Knowing is doing: An empirical validation of the relationship between managerial information security awareness and action

Purpose – The purpose of this paper is to empirically validate the conjectural relationship between managerial information security awareness (MISA) and managerial actions toward information security (MATIS).

Design/methodology/approach – A model is developed and the relationship between MISA and MATIS is tested using a large set of empirical data collected across different types and sizes of enterprises. The hypotheses of the research model are tested with regression analysis.

Findings – The results of the study provide empirical support that MATIS is directly and positively related to MISA.

Research limitations/implications – The R², an estimate of the proportion of the total variation in the data set that is explained by the model, is relatively low. This fact implies that there are other constructs in addition to MISA that play a crucial role in determining MATIS. The paper suggests that intention to act and the risk-cost tradeoff of the MATIS are other possible constructs that should be incorporated int...
